Flame Malware Hijacks Windows Update
wiredmikey writes "As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft's Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing. According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing. The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how."
And an anonymous reader adds a note that Flame's infrastructure is massive: "over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries."
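The NetBIOS spoofing avenue the summary describes (an infected peer answering name requests so the victim's update traffic is redirected) can be watched for on the wire. The following is an added example, not code from the story or from any vendor's analysis: it parses NetBIOS Name Service datagrams per RFC 1002 and flags answers nobody asked for, or one query answered by more than one host. The host names and addresses in the sample datagrams are constructed.

```python
"""Detect NetBIOS Name Service (NBNS, UDP/137) answer spoofing in captured datagrams.

Added example (not from the Slashdot thread or any vendor). Two conditions are
flagged: a positive name answer whose transaction id and name match no query seen
on the segment, and a single query answered by more than one source address.
Packet layout follows RFC 1002; the sample datagrams at the bottom are constructed.
"""
import struct
from collections import defaultdict

NB_TYPE = 0x0020    # NB resource record type
IN_CLASS = 0x0001


def encode_nb_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 sec. 14.1): pad to 15 chars,
    append the service suffix byte, then map each nibble to a letter 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(enc) + b"\x00"


def decode_nb_name(buf: bytes, off: int):
    """Decode one encoded name at buf[off:]; return (name, suffix, next_offset)."""
    length = buf[off]
    enc = buf[off + 1: off + 1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1 + length + 1


def build_query(txid: int, name: str) -> bytes:
    """Broadcast name query as a Windows host would send it (QR=0, RD=1, B=1)."""
    flags = 0x0110
    return (struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_nb_name(name) + struct.pack(">HH", NB_TYPE, IN_CLASS))


def build_response(txid: int, name: str, ip: str) -> bytes:
    """Positive name query response (QR=1, AA=1) mapping name to ip."""
    flags = 0x8500
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split("."))
    rr = encode_nb_name(name) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, 300000, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, flags, 0, 1, 0, 0) + rr


def parse_nbns(pkt: bytes) -> dict:
    """Return txid, whether this is a response, the queried names and the NB answers."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off, names, answers = 12, [], []
    for _ in range(qd):
        name, _sfx, off = decode_nb_name(pkt, off)
        off += 4                       # QUESTION_TYPE + QUESTION_CLASS
        names.append(name)
    for _ in range(an):
        name, _sfx, off = decode_nb_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == NB_TYPE:           # RDATA = NB_FLAGS (2 bytes) + NB_ADDRESS (4 bytes)
            answers.append((name, ".".join(str(b) for b in rdata[2:6])))
    return {"txid": txid, "response": bool(flags & 0x8000), "names": names, "answers": answers}


def detect_spoofing(datagrams):
    """datagrams: iterable of (src_ip, udp_payload) in capture order. Returns alert strings."""
    outstanding = {}                   # (txid, name) -> host that asked
    answered_by = defaultdict(set)     # (txid, name) -> hosts that answered
    alerts = []
    for src, payload in datagrams:
        msg = parse_nbns(payload)
        if not msg["response"]:
            for name in msg["names"]:
                outstanding[(msg["txid"], name)] = src
            continue
        for name, addr in msg["answers"]:
            key = (msg["txid"], name)
            if key not in outstanding:
                alerts.append(f"unsolicited answer for {name} -> {addr} from {src}")
                continue
            answered_by[key].add(src)
            if len(answered_by[key]) > 1:
                alerts.append(f"conflicting answers for {name}: {sorted(answered_by[key])} "
                              f"(latest {src} says {addr})")
    return alerts


# Constructed sample capture: one legitimate exchange, then a second host claiming the
# same name for the same query, then an answer to a query that was never seen.
SAMPLE = [
    ("10.0.0.5", build_query(0x1A2B, "WSUS01")),
    ("10.0.0.20", build_response(0x1A2B, "WSUS01", "10.0.0.20")),
    ("10.0.0.99", build_response(0x1A2B, "WSUS01", "10.0.0.99")),
    ("10.0.0.99", build_response(0x7777, "FILESRV", "10.0.0.99")),
]

if __name__ == "__main__":
    for line in detect_spoofing(SAMPLE):
        print(line)
```

On a live segment the same function can be fed payloads of UDP port 137 datagrams from a packet capture; a name answered from two addresses is the signature worth paging on.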
whoops (Score:5, Insightful)
and you thought Conficker was bad!
Re:whoops; ASK SLASHDOT... (Score:3, Interesting)
OK, my notebook that still has Windows on it (out of pure laziness) has been nagging me about a security update for a couple of days, yesterday I went ahead and updated. Should I worry?
Re:whoops; ASK SLASHDOT... (Score:4, Funny)
Of course, it's running Windows.
The preceding was meant tongue-in-cheek but even having said that there'll probably still be Linux/MS fanbois who want to take it seriously and start a flamewar.
Re:whoops; ASK SLASHDOT... (Score:4, Informative)
Otherwise, that security update was probably Microsoft's emergency blacklisting of the signing keys that were used to make the Flame components pass as MS-signed software...
Yes but make sure you UPDATE after reinstall (Score:5, Informative)
...Oh, wait.
OTOH, go to a network with no Windows systems, download update containing certificate revocations, and burn to CD before reinstalling and updating.
Re:whoops; ASK SLASHDOT... (Score:5, Funny)
First, there are hardly any infections outside the Arab world. (my guess is that it just takes a look at the keyboard driver in use) Going by your username you're not an Arab guy.
Second, the virus seems to be activated by some kind of a human operator, and well... you are probably not important enough (read: high level nuke scientist or something)
Third, this thing is in the wild since 2010, maybe even as early as 2007, and you didn't get infected in all the updates since then (I assume), or it is too late anyway.
Fourth, you use Windows and then ask if you might catch a virus? Seriously?
Fifth, to be absolutely safe: format your HD a couple of times, get OpenBSD on it with a strong root password (at least 128 characters), get the battery out and pack the thing in a lead box with walls at least 5 inch thick, fill the rest of the box with epoxy and bury the whole thing at a depth of at least 10 feet... on Pluto...
Re:whoops; ASK SLASHDOT... (Score:4, Insightful)
Iran is an Arab country now? Did anybody let them know? The rest of the comment is unfounded speculation and recycled nonsense. To everyone who modded "informative": doh!
Re: (Score:3, Insightful)
Most Americans can't understand the differences between Persia and East Boise.
Re: (Score:3, Funny)
Of course. Americans are all idiots but somehow still manage to lead the world in economic, military, and computer technology. It's a mystery.
Re: (Score:3)
Even if the bell curve is skewed in the wrong direction (I'm not saying it is but many people seem to think so) the sheer number of people means that there are plenty in the population near the top end of the curve capable of great innovation and there are so many at "reasonable average" levels such there is brawn and brain power available to make innovations work for the economy and feed back into the population to complete the cycle (overpowering the effect of the agents at the lowe
Re:whoops; ASK SLASHDOT... (Score:4, Funny)
Of course I know the difference between Persians and East Boisans. Persians have the annoying tendency to say "Bro" after every other word, drive Mercedes and threaten to cut your balls off if you even look at a Persian girl. East Boisans say "Y'all" after every other word, drive Ford F150s and fantasize about their sisters.
Greetings from LA.
Re:whoops; ASK SLASHDOT... (Score:4, Insightful)
Re:whoops; ASK SLASHDOT... (Score:4, Insightful)
I think it may be better to say it is an attack targeted at specific regions or countries. Kaspersky had most of the module signatures in their database over 2 years ago and decided not to flag them as active malware. Most malware programs are small in size and spend a good deal of time trying to masquerade or hide itself from virus scanners. In Flame's case it was a huge program using SQLite and other normal business related applications to do the work. It was made to look like a normal business application which basically was hiding in plain sight that virus scanners determined harmless. The guys who built Flame and Stuxnet make Anonymous and other script kiddies look ridiculously stupid. As more and more applications get flagged as malware the only thing people will be able to actually run is the OS.
Re: (Score:2)
Flame is not "Arab-centric". The tool kit exists now, and it will spread around the world. Every micro-generation has to learn the same lesson... and promptly to forget it: dump Windows. It's beyond compromised. That's why businesses and spooks like it. It defines police state software... sigh.
Re: (Score:3)
amen. I'm sure there are Russian hackers right now thinking "oh no, we can't copy Flame for our own purposes because it only attacks Arab countries".
I wonder if a Flame variant is already out there, quietly waiting to do its thing after the fuss has died down a little? If Windows Update tries to download a special certificate hotfix from mikrosoft.ru, I'd be reinstalling the entire OS.
Re: (Score:3)
First, there are hardly any infections outside the Arab world. (my guess is that it just takes a look at the keyboard driver in use) Going by your username you're not an Arab guy.
I doubt it looks at keyboard drivers to decide who to infect. I know a lot of people here in the US that have Arab keyboard drivers on their computers that aren't Arab, or obviously even in the Middle East. I'm one of them. Pretty much any university student studying Arabic has an Arabic keyboard downloaded for their computer. Simply looking at that would cause the malware to spread way too far, and cause way too much collateral damage if it's intended to be a targeted attack.
Re: (Score:3, Funny)
And then nuke it from orbit.
Re: (Score:2)
Whoever wrote Flame got legit certs from MS somehow. So it seems a bit hypocritical of MS to be acting so innocent and violated at this point.
Re:whoops (Score:4, Informative)
The certificates weren't legit. Whoever created them used a vulnerability in the signing algorithm for the MS Terminal Services license cert to make it look like they had a certificate from Microsoft.
Stupid coding by MS but it doesn't show that they were complicit in the release of Flame.
Re:whoops (Score:4, Insightful)
How do you know that?
Re:whoops (Score:4, Informative)
So your claim is that because no safe is absolutely unbreakable, you should just put your money out on the curb in a pile and call it good?
If Windows is a piggy bank, Linux is at least a lockbox. Neither is invulnerable, but one is clearly more secure than the other.
As for why, MS managed to lose control of (or whore out) the one true cert that all Windows installations are dependent on. In spite of that being public knowledge they haven't revoked it.
So there you have it, Windows is a piggy bank guarded by a crack ho :-)
Re: (Score:2)
Except they did revoke it. That's what the emergency security update they pushed out yesterday was all about.
Re: (Score:2)
So there you have it, Windows is a piggy bank guarded by a crack ho :-)
To be fair, the crack needed to bypass the security can be fairly difficult for some people to obtain.
No pun on 'crack' intended.
Re: (Score:3)
I'm guessing there are a lot more high value Linux servers out there than Windows.
The difference is the payoff. A successful attack on a Linux box will likely be detected and dealt with promptly while there is a metric assload of Windows boxes still infected with conficker.
Re: (Score:2)
You are mistaken. There are still more active Windows servers than Linux servers. Not saying I consider one better than the other but the numbers don't lie. And what makes you think a Linux exploit can be detected and dealt with promptly? Do you honestly believe that all Linux administrators are geniuses? Incompetent administrators are not determined by the OS.
Re: (Score:2)
I think there's a lot more Windows boxes being run by non-IT people who have no business running any server. Linux (Unix in general) provides better tools to examine the system and better isolation between users and kernel. In part, that's a matter of legacy since an awful lot of 3rd party software for Windows assumes Administrator level access.
And I said high value servers. That is servers that would affect a lot of users or where there could be serious consequences to a compromise. The dusty domain contro
Re: (Score:2)
The sole purpose of most malware out there is to create botnets; for those, machine count is the only thing that matters, so 10 desktops are much more valuable than a single server.
Of course, it also helps that said desktops usually aren't well monitored, and the person running them has no clue about what malware even is - all they know is that they've clicked on the link in that email that said that it's where you click if you want to see COOL LESBIAN PIX!, and now their PC is somewhat sluggish. But, again
Re: (Score:2)
There is one fundamental difference though: With FOSS, you have no scruples downloading and installing a new version from scratch (assuming /home is on a separate partition.) And the proliferation of platforms, variants and distros makes for a resilient ecosystem with even less target cross section for each version.
While they're at it (Score:5, Interesting)
Re:While they're at it (Score:5, Informative)
I get a lot of mileage out of Windows Repair Portable [majorgeeks.com]. It restores settings for a large number of issues that don't have a regular, non-painful reset/repair/reinstall option. I've found it particularly handy for fixing the Windows Firewall and Windows updates.
I'd prefer to do a reinstall under almost all circumstances of malware infection, but that's not always an option available for home or small business systems. I particularly dislike having to rely on Windows System Restore. I really wish modern versions of Windows had a painless repair install that would allow end users to keep programs and settings.
Re: (Score:2)
I really wish modern versions of Windows had a painless repair install that would allow end users to keep programs and settings.
Windows 8 has something like it. http://www.addictivetips.com/windows-tips/how-to-refresh-or-reset-your-windows-8-pc-complete-guide/ [addictivetips.com]
Re:While they're at it (Score:5, Informative)
Who repairs a windows install? Really, it's not worth anybody's time. If you're qualified enough to remove a modern rootkit with any real guarantee of future security, then the value of your time spent removing said infection is more than the total cost of a new PC. Not even remotely kidding.
Installing windows while recovering user data is fast and easy. Modern rootkits are too good. The only reasonable course of action when you have an infection is wipe and install. - Make sure you clean the boot sector! (It's not a bad idea to use a linux boot cd/usb flash drive and dd zeros over the first few megabytes of the drive. This will wipe out the boot sector, partition table/disk label/whatever, and any other places low level nasties generally reside. Plus, your OS installer will see a nice fresh unused drive and will feel free to lay down new partitions as it sees fit, and will not be tempted to do anything stupid like attempt a repair or upgrade)
Re: (Score:2)
I've actually lost clients from advocating reinstall as a standard procedure after infection. The usual claim is that it's an excuse for me to pad a bill. I know a repaired system is substantially more vulnerable than a known-clean new install is, and I can make a good case for that with my customers, but that doesn't mean they all go along with it and at some point I decided that it's not really a battle that's worth fighting.
Comment removed (Score:5, Informative)
Re: (Score:2)
I do that for small business machines. I know all about Sysprep and .wim files. Believe me. I also leverage the fact that there are free versions of TrueImage available for anyone whose machine includes a WD, Maxtor or Seagate hard disk. That doesn't help much to address home machines or personal laptops.
One thing in particular that I've found to be problematic in relation to getting Windows reinstalled is fear of losing purchased itunes content. If I had to guess, that's a bigger issue than absolutely anyt
Re: (Score:3)
That's very old school. Anything important should be a VM these days - not only is snapshotting, cloning (if needed), and reverting trivial with any of the major virtualization products, but most of them also give you a way to access the guest filesystem from the host, which allows for far easier virus removal (a rootkit on the guest is no impediment to the host).
Re: (Score:2)
VMs suck for anything requiring decent video performance and GPU acceleration.
That's completely true. How often does that come up for a business desktop (or server!), though? At home I have a gaming PC, and everything else is a VM on a server.
, nothing beats bare metal for performance
While that's important for someone overclocking a machine to chase a benchmark (or research computing, which can be indistinguishable from that), to basically everyone else that's irrelevant. Performance per cost of ownership is the goal, and keeping "software repair" costs down is a big part of that. That's a big attraction of desktop virtua
Re: (Score:3)
For the most part. Windows 7 Pro, Ultimate/Enterprise editions already includes a nice backup utility that can be scheduled and provide BMR restore functionality
Have you ever tried to use that though? It's not at all what you'd expect from a backup product - never could figure out how to use it to move to a new boot drive. I moved everything but my gaming rig into VMs so I never have to sweat hardware changes again.
Also, I've seen plenty of MS Exchange and SQL servers VMed that have had their disk I/O suck wind. And that's when their virtual disks have had its free space preallocated. I'm sure this is a solvable problem and mostly due to both improper implementation and over commitment of a shared SAN. But still, it doesn't bode well to virtualize disk I/O intensive servers and applications.
Yeah, it just requires a deep config understanding (I leave that to the experts where I work) for server I/O. There's very little overhead when set up properly
Any real geek has overclocked something, somewhere. Next you'll be telling me you've never
Re: (Score:2)
I'll have to give it another try. I really liked NTBACKUP and (early) Backup Exec though - just wrote files to tape (or disk) as a stream, nothing fancy once it was written.
Win7 backup only seems to want to backup some certain files, and I'm never sure what it did and what directories were actually backed up. It doesn't seem to have a mode where it just writes the C: drive out (followed by whatever other drives).
Windows? Impervious? (Score:5, Insightful)
Funny thing to say about any version of Windows.
Question remains: how come those people are so dumb? Being at de-facto cyberwar with a country, and still using closed source programs originating from it?
Another one: Be rich and smart enough to have nuclear research, but not smart enough to roll its own IT infrastructure based on code they can audit?
Re: (Score:3)
Nuclear research is easy. Good software design is hard.
(This statement meant to be both more and less tongue-in-cheek than you expect.)
Re: (Score:2)
"Good software design is hard."
Not really. It's just more costly.
We know how to build good software design.
Re: (Score:2)
We know how to build good software design.
For example? SE Linux is pretty good, but it's quite hard to configure, and without a good per-application config it loses its advantage.
There are security products for Windows which achieve the same thing as SE Linux, BTW, but those too are all about the configuration. It's not that the Windows kernel is insecure, it's that people tend to run consumer software on their Windows install (and there's still too much crap "on" by default: Win2008-r2 made a large stride in the right direction there, but it sti
Re: (Score:3)
This is what happens when a country 'buys' into a technology. None of the infrastructure is there.
Re: (Score:2)
Because to many people, "Windows is the computer".
Also, there are plenty of "dumb" Americans using the same OS for the same reason.
"Another one: Be rich and smart enough to have nuclear research, but not smart enough to roll its own IT infrastructure based on code they can audit?"
Uh oh......
Re: (Score:3)
Even Ivan took shortcuts. Read about the Savatage of the Trans-Siberian Orchestra [wikipedia.org]. (D'oh, stupid auto-complete!)
Re: (Score:2)
Even Ivan took shortcuts. Read about the Savatage of the Trans-Siberian Orchestra [wikipedia.org]. (D'oh, stupid auto-complete!)
Good reading that...
I wonder if there's a Russian source linking Space shuttle explosions with bugs-in-stolen-code, you know, that code stolen from Russians to drive space program...
Maybe Russians inserted FOR I = 1.100 DO... in rocket's code...
A lot of tongue in cheek, but... cyberwar in 1982 is as credible as is Wargames scenario, Joshua playing TicTacToe... Who wants to believe - he will. Me - I like harder facts than random writing on the wall called wikipedia.
Re:Windows? Impervious? (Score:5, Interesting)
Flame is using tech that is not Stuxnet-related... this is beyond Israel's and the US's not-so-secret war with Iran. This code means that no Windows machine in the world that uses MS updating will ever be trustworthy... unless you apply a huge dose of collective amnesia and shoulder-shrugging denial.
Question: is there a collusion between some dark back office at MS and the spooks, thru which the spooks get digitally signed certificates? Is the "bug" intentional? MS and Apple have been quietly cooperating with the FBI, NSA and the spooks almost since day one... how much? Are we just seeing the corner of the machine?
Is Linux or BSD safe? I don't mean from a man-in-the-middle attack; I mean a man-under-your-feet attack. What if chip or mobo makers install cracks in the hardware itself, on the order of US (and Chinese) spooks? I don't think we can trust the hardware made in the last ten years or so. We may have to go to printing our mobos someday - and how then would you trust the mobo designs didn't have backdoors in their software, somehow, or in updateable firmware?
Iran should have known better, how, and how would they get around using Windows even if they wanted to - the equipment they buy is welded to Microsoft. I doubt there are many open sourced centrifuge software packages.
Re: (Score:2)
Flame may not be using the same tech, but it is highly advanced and uses a lot of the same attack vectors that Stuxnet and Duqu used. It definitely wasn't developed by the team behind those 2 malware packages, but more of a parallel project that used some of the same tricks.
It still feels very much like an NSA-led attack on the middle east.
Re: (Score:2)
Yes but, by hijacking a Microsoft certificate you are pretty much Fu$$ed since there is no detection UNLESS you update your root certificates.
When was the last time we updated our root certificates without going through Windows update?
TFA says Win 7 64 bit not vulnerable? (Score:5, Interesting)
Re:TFA says Win 7 64 bit not vulnerable? (Score:5, Informative)
Anyone know what this is about? It's in the last paragraph:
"It's interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware."
Is that due to driver signing requirements?
"Hardware-based DEP (Data Execution Protection), for example, is turned on for all 64-bit processes. Kernel Patch Protection (a.k.a. PatchGuard) protects access to internal operating system data structures. And device drivers must be digitally signed with a certificate issued by a trusted certificate authority. Finally, none of the large body of malware written as 32-bit drivers or any 16-bit code will run at all on 64-bit Windows."
http://securitywatch.pcmag.com/malware/284281-is-64-bit-windows-safer-than-32-bit
Re: (Score:2)
They already have the code to sign their drivers though, just like they're signing everything else.
Re: (Score:2)
it might be that it's just not a target, fragmentation ftw i suppose.
but it beats me why it wouldn't be vulnerable to the windows update with rogue cert hijack though, nothing about dep or driver signing should affect that attack vector..
Driver signing is about DRM, not security (Score:5, Informative)
Is that due to driver signing requirements?
Driver signing doesn't mean squat for security. Third-party drivers with security holes and back doors are a dime a dozen, and there are even some in Microsoft drivers, of course. I have a publicly-available CPU diagnostic utility that comes with a signed 64-bit driver that allows user mode to write to any desired MSR. That easily leads to arbitrary code execution, most easily by changing the syscall vector. Malware that acquires administrator privileges can just install some company's vulnerable driver.
Driver signing is really about DRM. Hollywood was strongly concerned about fake video card and sound card drivers being used to dump unencrypted content from protected sources. The proof of my statement is what happens when you boot the Vista/7/8 kernel in debug or test signing mode: everything works except Blu-Ray movies and other DRM content.
So should I... (Score:3)
disable NetBIOS ?
I don't think I'm using it for anything... even my printer is set up with an IP address.
Re:So should I... (Score:5, Informative)
The answer to that has been a resounding yes ever since NetBIOS was introduced. It was always a windows only way of doing things that already had other non-proprietary standard ways of being accomplished. It has also been a vector for various malware over the years.
I don't understand (Score:2)
Why is Windows Update using netbios? I thought the A record DNS results for update.microsoft.com and related were hard coded in the OS to prevent this sort of spoofing attack.
Is this something with the WSUS based updating procedure?
Re: (Score:2)
I don't know the details of this attack, but most corporate desktops don't update from update.microsoft.com, but from an in-house update server (many big companies insist on this - they want firm control of when and which patches go out). Presumably that's the attack vector.
Re: (Score:2)
Gotta blame MS on this one. Fucking stupid that all copies of windows come by default with so many insecurities. Instead of making people enable what they need.
I just installed a recent Ubuntu, and it comes with a ton of crap on-by-default as well. And the patching seems to be more frequent, and far more MB to download each week (whether that's a good thing or a bad thing is a matter of debate, I guess).
Most Windows machines get infected through Flash or Java or some similar browser-addition these days. Windows has had su-style popups needed to do real harm for 5 years now, and I'm sure that helps a bit, but there's just not much an OS can do. An "app store" mod
Cyberthings (Score:2)
Certificate was revoked by an emergency patch (Score:5, Informative)
I saw an article about this already on Ars Technica. However, Ars included one detail that the Slashdot and Security Week stories don't:
Microsoft issued an emergency update [technet.com] Sunday that updated the Windows Certificate Revocation List specifically to expire the certificate used by this exploit.
Re:Certificate was revoked by an emergency patch (Score:4, Insightful)
I guess that will work well, as long as you have a machine that talks to Windows Update and not Flame Update.
Did anyone NOT see this coming? (Score:4, Insightful)
When Windows Update was introduced, the first thought to go through my mind was, "I wonder how long until someone compromises this and uses it to push out malware." It took a lot longer than I thought.
Re: (Score:3)
Any centralized software distribution channel is vulnerable to this sort of thing if you can't keep the signing keys secure. The major fuck-up here was that those keys were leaked, and not even maliciously (e.g. by infiltrating MS or using people skills to tease them out), but out of sheer incompetence on behalf of the authors of the software that did it.
Hang on (Score:2)
Re: (Score:2)
You assume that the patch is effective.
Who Paid for the C&C Servers? (Score:4, Interesting)
My question is where did the money for the C&C servers come from? Those C&C domains were paid for with stolen credit cards and stolen identities. The same thing was used to purchase the VPSs used as the C&C servers. Why isn't there an outcry because the US government stole the identities and credit card numbers of private individuals to make these botnets? Where did they get these stolen identities? Did they use criminal means and buy them on the black market from other botherders? Did they just open their own files and roll the dice choosing people at random?
Re:Who Paid for the C&C Servers? (Score:4, Interesting)
The US government has admitted to authorizing stuxnet. Now it looks like Flame is probably also a government authorized weapon.
Exactly who admitted to authorizing stuxnet?
I'm still trying to get my head around (Score:2)
Re:Looks good for Windows 8 sales (Score:5, Insightful)
Umm.. the developers behind Flame were able to hijack Windows update, gain access to a Microsoft code signing and website signing key, stay undetected in the wild for at least 2+ years.
But System Restore 2.0 is going to stop them? Your average piece of malware can survive a system restore...
Re:Looks good for Windows 8 sales (Score:5, Informative)
Indeed certificate revocations went out on the 3rd.
http://support.microsoft.com/kb/2718704 [microsoft.com]
And as you've said, system restore 2.0 won't stop them. And malware survive? It gets worse than that, some of the more vicious ones inject themselves right into the SR backup, and edit the backed up hive. Unless you can remove it fully, you're kinda shot. Which can also mean disabling SR.
Re: (Score:2)
Disabling SR seems to be the first step of removing any malware these days.
Yep. I actually had a really nasty one a variant of the lovely TDSS that actually injected itself into a backup that was on a remote. Now that was a living hell to get rid of.
Re: (Score:2)
Even if it does, a single infected machine on the network will intercept the next windows update request, and re-infect your recently reset machine.
There's no way you can work around it, except by not-having any other windows-computers in the network.
Re: (Score:2)
Even if it does, a single infected machine on the network will intercept the next windows update request, and re-infect your recently reset machine.
Download yesterday's cert revocation patch from technet.microsoft.com and manually install before connecting to the network (should be doing that for most critical patches after an install anyway).
Re: (Score:2)
Your average piece of malware can survive a system restore...
I think you use the word "average" differently than I do.
Re:Looks good for Windows 8 sales (Score:4, Insightful)
To be fair, a malware writer could not care less if their software breaks 10-20% of the PCs it attempts to hijack.
Make MS brick 5% and the cost to them could be astronomical.
So, it is not symmetric warfare.
Re: (Score:3)
What's at issue is that one side doesn't fucking care that they're in one, and their responses are always reactive/responsive and half-assed.
What does Apple have to do with this story?
Re:As Microsoft continues its effort to keep its u (Score:5, Funny)
Re: (Score:2)
Wouldn't help. Slashcode doesn't support it.
Re: (Score:2)
To fix a security hole, you have to release software with those holes first. Maybe all the rest can't compete, because they can't add up so many huge security holes.
Re: (Score:2)
or best?
Re:Known fix for this problem... (Score:4, Informative)
Hindsight is when something is obvious in retrospect. A paper published before the infection is not hindsight, but foresight.
That said, I love how clicking on the link to a paper about a security vulnerability leads to my browser giving a security certificate warning....
Re:Wait until someone does the same with UEFI (Score:5, Insightful)
That's just not the way malware works any more.
Early viruses were great, they did something obvious like put dialog boxes on your screen, ask for cookies, wipe your hard drive, or other obvious malicious behaviour. This was a good thing because it meant that they would never really spread that far because once infected, people knew they were infected, and the infection caused enough trouble to be worth fixing.
Modern malware is a completely different beast, the goal of modern malware is to be unnoticed by the end user so as to live as long as possible in the machine, and spread to as many others as possible, usually with the goal of leeching bandwidth from these machines for use in various botnets. As such, malware that causes your machine not to boot would defeat the purpose of modern malware. A machine that isn't booted up will not join a botnet, and will not spread to other machines.
What is more likely is that the virus writers will intercept the keys used by UEFI, manage to sign their own bootloader, and still run windows in a way that the average end user can't tell the difference. This will make the virus almost impossible to remove as it will then have more access to the system than even the operating system itself does. On the bright side, once the UEFI keys are in the wild, the various free operating systems can use those same keys to sign their own bootloaders allowing people to run non-windows software in a signed way on windows only hardware (call it jailbroken...)
Re: (Score:2)
All the people who say "if you run windows you will get a virus" make me laugh. I have run windows OS's for 15 years and have only been infected by one virus
I agree, that's pretty funny. Did you not believe them?